When you're creating and updating web distributions by using the CloudFront console and you want to configure CloudFront
to require HTTPS between the viewer and CloudFront or between CloudFront and the origin, lets you view a list of ACM certificates.

This permission isn't required if you aren't using the CloudFront console.

cloudfront:*

Lets you perform all CloudFront actions.

cloudwatch:DescribeAlarms and cloudwatch:PutMetricAlarm

Let you create and view CloudWatch alarms in the CloudFront console. See also sns:ListSubscriptionsByTopic and
sns:ListTopics.

These permissions aren't required if you aren't using the CloudFront console.

cloudwatch:GetMetricStatistics

Lets CloudFront render CloudWatch metrics in the CloudFront console.

This permission isn't required if you aren't using the CloudFront console.

elasticloadbalancing:DescribeLoadBalancers

When creating and updating web distributions, lets you view a list of Elastic Load Balancing load balancers in the list of
available origins.

This permission isn't required if you aren't using the CloudFront console.

iam:ListServerCertificates

When you're creating and updating web distributions by using the CloudFront console and you want to configure CloudFront
to require HTTPS between the viewer and CloudFront or between CloudFront and the origin, lets you view a list of certificates in the
IAM certificate store.

This permission isn't required if you aren't using the CloudFront console.

s3:ListAllMyBuckets

When you're creating and updating web and RTMP distributions, lets you perform the following operations:

View a list of S3 buckets in the list of available origins

View a list of S3 buckets that you can save access logs in

This permission isn't required if you aren't using the CloudFront console.

sns:ListSubscriptionsByTopic and sns:ListTopics

When you create CloudWatch alarms in the CloudFront console, lets you choose an SNS topic for notifications.

These permissions aren't required if you aren't using the CloudFront console.

waf:GetWebACL and waf:ListWebACLs

Lets you view a list of AWS WAF web ACLs in the CloudFront console.

These permissions aren't required if you aren't using the CloudFront console.

AWS Managed (Predefined) Policies for CloudFront

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS.
These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate
what permissions are needed. For more information, see
AWS Managed Policies in the
IAM User Guide. For CloudFront, IAM provides two managed policies:

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.
You can also create your own custom IAM policies to allow permissions for CloudFront API operations. You can attach these
custom policies to the IAM users or groups that require those permissions.

Customer Managed Policy Examples

You can create your own custom IAM policies to allow permissions for CloudFront API actions. You can attach these custom policies
to the IAM users or groups that require the specified permissions. These policies work when you are using the CloudFront API,
the AWS SDKs, or the AWS CLI. The following examples show permissions for a few common use cases. For the policy that grants a
user full access to CloudFront, see Permissions Required to Use the CloudFront Console.

The cloudfront:ListCloudFrontOriginAccessIdentities permission lets users select an existing origin access identity and have
CloudFront grant that identity permission to read objects in an Amazon S3 bucket. If you also want users to be able to
create origin access identities, you must also allow the cloudfront:CreateCloudFrontOriginAccessIdentity
permission.

Example 3: Allow Creation and Listing of Invalidations

The following permissions policy allows users to create and list invalidations. It includes read access to CloudFront distributions
because you create and view invalidations by first displaying settings for a distribution:
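The policy documents for this example and the origin access identity example above are not reproduced on this page. What follows is an added example, not the AWS documentation's own policy: a constructed customer managed policy for the invalidation use case (read access to distributions plus create/get/list for invalidations, with an explicit Deny on update and delete actions as a guardrail), together with a small evaluator that applies IAM's single-policy logic (an explicit Deny wins, anything not matched by an Allow is denied by default, action names match case-insensitively with `*` wildcards) so you can see what the policy actually grants before attaching it to a user or group. The policy, the `is_allowed` and `effective_permissions` helpers and the candidate action list are assumptions made for this example; the action names themselves are real CloudFront API actions.

```python
"""Least-privilege check for a customer managed CloudFront policy.

Added example, not from the AWS documentation. The policy below is
constructed for illustration; the evaluator mirrors how IAM resolves a
single identity-based policy (explicit Deny > Allow > implicit deny).
"""
import fnmatch
import json

# Constructed policy: create/list invalidations plus read-only access to
# distributions (the console shows a distribution's settings before you
# can create or view its invalidations). The Deny statement is a guardrail
# so a later, broader Allow cannot quietly add update/delete rights.
INVALIDATION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["cloudfront:Update*", "cloudfront:Delete*"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Evaluate one action against a single identity-based policy.

    Only Effect, Action and Resource are considered: no Condition,
    NotAction/NotResource, resource policies, permissions boundaries or
    SCPs. Action matching is case-insensitive with IAM's * and ? wildcards
    (fnmatch semantics); resource ARN matching is case-sensitive.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True        # keep scanning: a later Deny can still veto
    return allowed                # nothing matched an Allow: implicit deny


def effective_permissions(policy, candidate_actions):
    """Return the sorted subset of candidate_actions the policy grants."""
    return sorted(a for a in candidate_actions if is_allowed(policy, a))


# Candidate actions a reviewer would probe: the intended ones, the
# destructive ones the guardrail should block, and an unrelated service.
CANDIDATES = [
    "cloudfront:CreateInvalidation",
    "cloudfront:ListInvalidations",
    "cloudfront:GetDistributionConfig",
    "cloudfront:UpdateDistribution",
    "cloudfront:DeleteDistribution",
    "cloudfront:CreateDistribution",
    "s3:ListAllMyBuckets",
]

if __name__ == "__main__":
    for act in CANDIDATES:
        verdict = "ALLOW" if is_allowed(INVALIDATION_POLICY, act) else "DENY"
        print(f"{act:40s} {verdict}")
```

This evaluator is a quick local sanity check, not a substitute for IAM: it ignores Condition blocks, NotAction, permissions boundaries, SCPs and resource-based policies, all of which can change the outcome. For the authoritative answer run the policy through the IAM policy simulator (for example `aws iam simulate-custom-policy`) before attaching it to users or groups.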